Password Cracking 101

Post on 05-Jan-2017

Password Cracking 101

City of Phoenix

Information Security and Privacy Office

Agenda

• Computer accounts

• Password cracking methods

• Guess how long it takes to crack a password

• Creating a strong password

• Tools for home use

Computer Accounts

• Identify you to the computer system or network

• Your permissions to access info and systems are based on your account

Passwords

• Verify that the person logging into the computer system or network is who they claim to be

• In other words, your password says you are the account owner

• aka authentication

Free Bonus Info! Authentication Factors

• Something you know

– Password

• Something you have

– Badge, token, digital certificate

• Something you are (biometric)

– Fingerprint, retina

• More factors = Stronger authentication

Why Is a Strong Password Important?

• Like the key to your house, your password is the key to your computer account, your access privileges, and your information

• Passwords provide the first line of defense against unauthorized access

• Strong passwords help protect the confidentiality, integrity, and availability of your information and systems

Strong passwords can’t be easily guessed

Strong Passwords Are Not Shared

Are These Strong Passwords?

Strong Passwords Are Easy to Remember

• So you don’t have to write them down

Strong Passwords Can’t Be Easily Cracked

• Password cracking: using computing technology and power to discover a password

• A typical desktop computer can try between 100,000 and 1 million passwords per second

– That rate depends on the hash algorithm as much as on the hardware: a single modern GPU tries on the order of billions of unsalted NTLM or MD5 hashes per second, while a deliberately slow hash such as bcrypt cuts that by several orders of magnitude

Making a Strong Password

• Contains a combination of words, numbers, and characters from an easy-to-remember sentence or phrase

• Does not contain words in a dictionary, regardless of the language

• Does not contain a proper name, such as your spouse’s name

• Does not contain numbers associated with you in any way, such as your dog’s birthday or your child’s social security number

Using a Password Strength Checker

• “Call me paranoid, but how do we know these sites aren’t harvesting the passwords they test?”

• Don’t use your actual password

• Use a “test” password with the same number of letters (caps and lower case), numbers, and special characters in the same locations as your actual password

• Your actual password would have the same strength against brute force

– Caveat: the checker’s dictionary and pattern checks only see the test string, so a real password built from a name, a word, or a keyboard walk is weaker than the substitute suggests

Password Cracking 101

Cracking Methods

• Dictionary

– Tries words in a dictionary (any language)

• Pre-computed

– Looks up the stored password hash in a table of hashes computed in advance from lists of cracked or likely passwords

– Only works against unsalted hashes; a per-user salt forces the attacker to recompute the table for every account

• Hybrid

– Checks common number or symbol substitutes for letters, such as 3 for E or $ for S, and appended digits

• Brute Force

– Attempts every combination of characters
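The four methods above, as an added example (not the City of Phoenix’s code or the tool behind the slide’s tables): each is run offline against constructed, unsalted SHA-256 hashes of sample passwords, with a deliberately tiny wordlist. The leet substitutions, the 0–199 suffix range, the salt value and the sample passwords (Chicago, Barbara1, Qwert123, Eag1e$9, Zx9) are all assumptions chosen for the demo.

```python
"""Added example (not the City of Phoenix's code): the four cracking methods
from the slide, run offline against constructed, unsalted SHA-256 hashes."""
import hashlib
import itertools
import string

# Letter-for-symbol swaps a hybrid attack tries (3 for E, $ for S, ...).
LEET = {"e": "3", "s": "$", "a": "@", "o": "0", "i": "1", "l": "1"}
# Constructed wordlist for the demo; real crackers use millions of entries.
WORDS = ["barbara", "chicago", "gandalf", "october", "qwert", "eagles", "password"]


def h(text: str) -> str:
    """Unsalted SHA-256 as a stand-in for whatever hash a system stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def case_variants(word: str) -> set:
    return {word, word.capitalize(), word.upper()}


def leet_variants(word: str) -> set:
    """Every combination of swapping or keeping each substitutable letter."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return {"".join(t) for t in itertools.product(*options)}


def dictionary_attack(target: str, words=WORDS):
    """Dictionary: plain words with simple capitalisation, nothing appended."""
    for w in words:
        for cand in case_variants(w):
            if h(cand) == target:
                return cand
    return None


def hybrid_candidates(words=WORDS, suffixes=range(200)):
    """Hybrid: word x case x leet swaps x optional numeric suffix."""
    for w in words:
        for base in case_variants(w):
            for cand in leet_variants(base):
                yield cand
                for n in suffixes:
                    yield f"{cand}{n}"


def hybrid_attack(target: str):
    for cand in hybrid_candidates():
        if h(cand) == target:
            return cand
    return None


def brute_force(target: str, alphabet=string.ascii_letters + string.digits, max_len=3):
    """Brute force: every string up to max_len; exhaustive but exponential."""
    for n in range(1, max_len + 1):
        for t in itertools.product(alphabet, repeat=n):
            cand = "".join(t)
            if h(cand) == target:
                return cand
    return None


def build_table() -> dict:
    """Pre-computed: hash the candidates once; each later lookup is O(1)."""
    return {h(c): c for c in hybrid_candidates()}


def precomputed_attack(table: dict, target: str):
    return table.get(target)


def salted_hash(text: str, salt: str) -> str:
    """A per-user salt makes every entry of a shared table wrong for this user."""
    return h(salt + text)


if __name__ == "__main__":
    table = build_table()
    for pw in ["Chicago", "Barbara1", "Qwert123", "Eag1e$9", "Zx9"]:  # constructed
        target = h(pw)
        print(pw, "dictionary:", dictionary_attack(target),
              "hybrid:", hybrid_attack(target),
              "table:", precomputed_attack(table, target))
    print("Zx9 by brute force:", brute_force(h("Zx9")))
    print("salted Gandalf1 in table:", precomputed_attack(table, salted_hash("Gandalf1", "x7")))
```

Two things to notice when running it: the pre-computed table costs exactly one hybrid run to build and then answers any number of unsalted targets instantly, which is why salting matters; and the brute-force search over only three alphanumeric characters already hashes about a quarter of a million candidates, so every extra character multiplies the work by the alphabet size.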

WARNING

• Password cracking programs are available on the Internet

• Do NOT visit sites that host them

• Do NOT download them

• Why?

– These sites often contain malware

Time to Crack

Password   Crack Method   Time to Crack

Barbara1   Dictionary     0d0h0m0s
Chicago5   Dictionary     0d0h0m0s
Gandalf1   Dictionary     0d0h0m0s
October7   Dictionary     0d0h0m1s
0ctobeR7   Brute Force    0d2h23m7s
time2Fly   Brute Force    0d1h35m33s
Sp1drman   Brute Force    0d0h11m17s
Qwert123   Hybrid         0d0h0m25s
goBears4   Brute Force    0d2h33m58s
goBears!   Brute Force    0d2h32m58s
GoEag1es   Pre-computed   0d0h2m47s
GoE@g1es   Brute Force    0d5h13m38s

Sample Output

Time to Crack

Password   Crack Method   Time to Crack

4*20+7ya   Brute Force    > 1d6h24m3s
4sc&7yrA   Brute Force    > 1d6h24m3s
87yr.aGo   Brute Force    > 1d6h24m3s

(> means the password was still uncracked when the run was stopped)

Still Going…

Key Take Away

• The longer and more complex a password, the harder it is to crack
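As an added example (not the slide author’s tool, whose method and guessing rate are not given), the calculator below computes the exhaustive-search bound behind both the strength-checker advice earlier and the Time to Crack tables: which character classes a password uses, the resulting keyspace in bits, and the worst-case time at several assumed guessing rates. The three rates are illustrative assumptions, not measurements. The bound is an upper limit: real crackers order candidates by likelihood, which is why the phrase-derived and dictionary-derived passwords in the tables fell far sooner than their keyspace suggests.

```python
"""Added example (not the slide's own tool): exhaustive-search upper bounds
for the Time to Crack tables at assumed guessing rates."""
import math
import string

# Character classes a brute-force cracker must cover once it knows they are used.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # 32 printable ASCII symbols
}

# Guesses per second; all three are assumptions for illustration.
RATES = {
    "desktop CPU (slide figure)": 1e6,
    "one GPU, unsalted fast hash (NTLM/MD5)": 1e10,
    "one GPU, slow hash (bcrypt)": 1e5,
}


def charset_size(password: str) -> int:
    """Sum of the sizes of the classes present; characters outside every class
    (e.g. a space) are counted individually. Conservative: the attacker is
    assumed to know which classes the password uses."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    extras = {c for c in password if not any(c in cs for cs in CLASSES.values())}
    return size + len(extras)


def keyspace(password: str) -> int:
    return charset_size(password) ** len(password)


def bits(password: str) -> float:
    """Keyspace in bits; 8 characters of mixed case plus digits is under 48 bits."""
    return math.log2(keyspace(password))


def worst_case_seconds(password: str, rate: float) -> float:
    return keyspace(password) / rate


def fmt_duration(seconds: float) -> str:
    """Same 0d0h0m0s layout as the slide tables."""
    s = int(seconds)
    d, s = divmod(s, 86400)
    hrs, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return f"{d}d{hrs}h{m}m{s}s"


def estimate(password: str) -> dict:
    """Worst-case exhaustive-search time at each assumed rate."""
    return {name: fmt_duration(worst_case_seconds(password, r)) for name, r in RATES.items()}


if __name__ == "__main__":
    for pw in ["Barbara1", "goBears!", "4*20+7ya", "GoE@g1es"]:
        print(f"{pw}: {charset_size(pw)}^{len(pw)} = {bits(pw):.1f} bits")
        for name, t in estimate(pw).items():
            print(f"   {name}: {t}")
```

Comparing the output with the tables shows the point the slide makes implicitly: at the slide’s own 1 million guesses per second, exhaustive search over an 8-character mixed-case alphanumeric password would take years, yet Barbara1 fell in under a second because it is a name plus a digit, not because the keyspace was small. Against a GPU and an unsalted fast hash, even the full 62^8 keyspace is a matter of hours.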

Bad Passwords

• Personally related to you

– Address, birthday, anniversary, license plate, social security number, favorite car, hobby, or sports team

• Job-related

– Job title, work location

• Family-related

– Spouse, children, or pets’ names or birthdays

• Similar to or match your User ID

• Dictionary words

– No matter what the language

Picking a Strong Password

Unleash Your Creativity! Base Passwords on a Phrase

• 4*20+7ya

• 4sc&7yrA

• 87yr.aGo

• Fourscore and seven years ago (Gettysburg Address)

Unleash Your Creativity! Base Passwords on a Phrase

• Wygc?GB!

Use a Keyboard Pattern

• 3$5EdZxc

– Forms the letter “I” (kinda)

– Caveat: cracking tools generate keyboard walks as candidates, so a pattern like this falls far sooner than its length and character mix suggest
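Phrase-based passwords and keyboard patterns are memorable but guessable; the alternative, which the password managers under Tools for Home Use also offer, is to let a cryptographically secure random generator pick the password and to count the entropy of the choice rather than its appearance. The generator below is an added example (not code from the slides, Password Safe, or LastPass): it draws uniformly from the 94 printable ASCII characters using the operating system’s random source, or builds a Diceware-style passphrase. The 32-word list is constructed for the demo and the 7776-word figure is the size of a standard Diceware list.

```python
"""Added example (not the slide's own tools): random password and passphrase
generation with the OS CSPRNG, and the entropy each choice provides."""
import math
import secrets
import string

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)          # 94 printable ASCII characters

# Constructed 32-word list for the demo; a real Diceware list has 7776 words.
DEMO_WORDS = """apple bridge candle desert eagle forest garden harbor island jungle
kettle ladder magnet needle orange pepper quartz rocket saddle tunnel
umpire violin walnut yellow zebra anchor basket copper dragon engine falcon glacier""".split()


def has_all_classes(pw: str) -> bool:
    return all(any(c in cls for c in pw) for cls in CLASSES)


def random_password(length: int = 16) -> str:
    """Uniform random characters from the OS CSPRNG; resample the whole string
    until every class is present so typical complexity policies accept it."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def passphrase(words=DEMO_WORDS, count: int = 5, sep: str = "-") -> str:
    """Diceware-style: words chosen independently and uniformly at random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, picks: int) -> float:
    """log2 of the number of equally likely outputs the generator can produce.
    This measures the choice process, not the look of one output."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(), f"~{entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(passphrase(), f"~{entropy_bits(len(DEMO_WORDS), 5):.1f} bits (demo list)")
    print(f"same 5 words from a 7776-word list: ~{entropy_bits(7776, 5):.1f} bits")
```

The entropy figures are why a manager-generated 16-character password (about 105 bits before the small loss from resampling) or five words from a full Diceware list (about 65 bits) beat an 8-character phrase abbreviation, whose apparent 48-bit keyspace shrinks further once the attacker’s wordlist contains the phrase. The demo list shows the other side: a passphrase from a 32-word list is only 25 bits, so the size of the list matters as much as the number of words.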

How Many Passwords?

• Work

• Personal – high security

– Online banking

• Personal – low security

– News sites

• Recommended

– Social media ONLY

Tools for Home Use

• Password Safe

– Free Windows utility

– Designed by Bruce Schneier

– Keeps passwords securely encrypted on your computers

– Just one “Safe Combination” to remember

• http://passwordsafe.sourceforge.net/

City of Phoenix does not endorse or support any tools for home use

Tools for Home Use

• LastPass

– Free utility

– Just one “master password” to remember

– Can automatically log you on to web sites and complete forms needed to buy goods online

• https://lastpass.com/features_free.php

Reminder

• Change default passwords

– Passwords that “come with” a device or are set by the vendor

You Can

• Protect yourself

• Pick strong, easy-to-remember passwords!

Thanks!

Questions? Contact

ispo@phoenix.gov